#VU42487 Resource management error in rsyslog - CVE-2013-4758
Published: October 4, 2013 / Updated: August 10, 2020
Vulnerability identifier: #VU42487
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2013-4758
CWE-ID: CWE-399
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
rsyslog
rsyslog
Software vendor:
rsyslog.com
rsyslog.com
Description
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Double free vulnerability in the writeDataError function in the ElasticSearch plugin (omelasticsearch) in rsyslog before 7.4.2 and before 7.5.2 devel, when errorfile is set to local logging, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted JSON response.
Remediation
Install update from vendor's website.